Episode III: Revenge of the React Vulnerabilities
The fight against React2Shell is not over.
Just days after the initial disclosure of the critical Remote Code Execution (RCE) flaw, CVE-2025-55182, security researchers found that the initial patches were insufficient. This led to a new set of high-severity flaws in the same vulnerable component: React Server Components (RSC). In response to this CVE, we published a series of blog posts (see Part 1, which addresses Code Search for identifying code impacted by this CVE, and Part 2, which demonstrates how to apply the fix).
However, what appeared to be a resolved incident instead revealed a second wave of vulnerabilities triggered by incomplete fixes.
New Disclosures: DoS and Source Code Exposure
The new official disclosure from the React team confirms the existence of three new CVEs. These vulnerabilities affect the same core packages (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack):
Critical Warning: The False Patch
Many organizations patched to intermediate versions, which the React team has now confirmed are still vulnerable to the new DoS issues.
If you updated to versions 19.0.2, 19.1.3, or 19.2.2, you are still exposed.
Identifying All Remaining Vulnerabilities
To find every single repository using a vulnerable version, including the partially-patched ones, you need a precise and comprehensive Code Search query.
This updated regex matches any pinned, caret, or tilde version from 19.0.0 up to the last unsafe patch of each release line (19.0.2, 19.1.3, and 19.2.2), so the partially patched versions are caught as well:
context:global file:package.json "react-server-dom-(webpack|parcel|turbopack)":\s*"[~^]?19\.(0\.[0-2]|1\.[0-3]|2\.[0-2])" patterntype:regexp
Use Sourcegraph Code Search to run this query across your entire codebase and generate a list of every project that requires remediation.
Final Fix: Complete Remediation at Scale
The final, fully safe versions are: 19.0.3, 19.1.4, and 19.2.3. To address the newly disclosed React Server Components DoS and source exposure vulnerabilities (and to correct false-confidence upgrades), adapt this updated Batch Change spec and follow the instructions from Part 2 of this series to use the spec to apply a Batch Change across affected codebases. This version detects all partially patched React 19.x dependencies and automatically upgrades them to the final safe releases (19.0.3, 19.1.4, 19.2.3), ensuring complete remediation across your entire codebase.
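As an added illustration of what the Code Search query and the Batch Change above are meant to do, here is a standalone Node.js script (written for this page, not Sourcegraph's own Batch Change spec, which is not reproduced here) that applies the same version logic to a package.json: it treats 19.0.0 to 19.0.2, 19.1.0 to 19.1.3, and 19.2.0 to 19.2.2 as vulnerable, rewrites each match to the fixed release of its minor line while keeping the author's caret or tilde prefix, and flags complex ranges for manual review. The package.json content is constructed for the example; the package names and version numbers are the ones stated in the post.

```javascript
// Added example (not Sourcegraph's Batch Change spec): find React Server Components
// package pins in the vulnerable range and rewrite them to the fixed release.
// Vulnerable/fixed versions are those stated in the post; the sample package.json is constructed.

const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Last vulnerable patch and first fixed patch per 19.x minor line, from the disclosure.
const FIX_TABLE = {
  0: { lastVulnerable: 2, fixed: '19.0.3' },
  1: { lastVulnerable: 3, fixed: '19.1.4' },
  2: { lastVulnerable: 2, fixed: '19.2.3' },
};

// Accepts a package.json version spec such as "19.2.2", "^19.1.3" or "~19.0.1".
// Returns { prefix, major, minor, patch }, or null for anything that is not a
// simple pinned/caret/tilde version (ranges like ">=19 <20" are left for human review).
function parseSpec(spec) {
  const m = /^([~^]?)(\d+)\.(\d+)\.(\d+)$/.exec(spec.trim());
  if (!m) return null;
  return { prefix: m[1], major: Number(m[2]), minor: Number(m[3]), patch: Number(m[4]) };
}

// True when the spec's lower bound is a version the post lists as vulnerable.
function isVulnerableSpec(spec) {
  const v = parseSpec(spec);
  if (!v || v.major !== 19) return false;
  const line = FIX_TABLE[v.minor];
  return line !== undefined && v.patch <= line.lastVulnerable;
}

// Rewrite every vulnerable RSC dependency to the fixed release of its minor line,
// keeping the caret/tilde prefix the author used. Returns the new JSON text and a
// change log; the text is semantically unchanged when nothing needed fixing.
function remediatePackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const changes = [];
  const sections = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];
  for (const section of sections) {
    const deps = pkg[section];
    if (!deps) continue;
    for (const name of RSC_PACKAGES) {
      const spec = deps[name];
      if (typeof spec !== 'string') continue;
      const v = parseSpec(spec);
      if (!v) {
        // Complex range: cannot decide mechanically, report it instead of guessing.
        changes.push({ section, name, from: spec, to: null, note: 'complex range, review manually' });
        continue;
      }
      if (!isVulnerableSpec(spec)) continue;
      const to = v.prefix + FIX_TABLE[v.minor].fixed;
      deps[name] = to;
      changes.push({ section, name, from: spec, to });
    }
  }
  return { text: JSON.stringify(pkg, null, 2) + '\n', changes };
}

// Constructed sample: one partially patched pin, one already fixed, one non-RSC package.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: {
    react: '^19.1.3',
    'react-server-dom-webpack': '^19.1.3',
    'react-server-dom-turbopack': '19.2.3',
  },
  devDependencies: {
    'react-server-dom-parcel': '~19.0.2',
  },
}, null, 2);

// Stand-alone run: print what would change and the rewritten file.
const demo = remediatePackageJson(SAMPLE_PACKAGE_JSON);
console.log(JSON.stringify(demo.changes, null, 2));
console.log(demo.text);
```

A caret or tilde range in package.json is only a lower bound, so a match here means the project may still resolve to a vulnerable release, not that it does; the lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml) records what is actually installed. After rewriting package.json, the lockfile has to be regenerated with the project's package manager so the fixed release is the one that ships.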
Don't let the revenge of the React vulnerabilities catch you twice. Find the affected code, apply the definitive fix, and use Sourcegraph to ensure your victory.